CVE-2026-39918
Vvveb before 1.0.8.1 contains a code injection vulnerability in the installation endpoint. The subdir POST parameter is written unsanitized into env.php without escaping or validation, allowing an attacker to break out of the string context in the define statement and achieve unauthenticated remo...